From 72ee17c5ca01e6218ed867d0795d49a142b9cfc9 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Wed, 11 Sep 2019 19:30:32 +0100
Subject: [PATCH] Adding recommendations from tallclair.
---
 cluster/addons/dns/kube-dns/kube-dns.yaml.base | 5 +----
 cluster/addons/dns/kube-dns/kube-dns.yaml.in | 5 +----
 cluster/addons/dns/kube-dns/kube-dns.yaml.sed | 5 +----
 3 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.base b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
index 0a85f9ca8c0..90a700eceff 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.base
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.base
@@ -82,13 +82,12 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
 priorityClassName: system-cluster-critical
 securityContext:
- runAsNonRoot: true
 supplementalGroups: [ 65534 ]
 fsGroup: 65534
 tolerations:
@@ -198,8 +197,6 @@ spec:
 mountPath: /etc/k8s/dns/dnsmasq-nanny
 securityContext:
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
 capabilities:
 drop:
 - all
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.in b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
index 4c10cfc50af..2b6f7bf5f81 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.in
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.in
@@ -82,13 +82,12 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
 priorityClassName: system-cluster-critical
 securityContext:
- runAsNonRoot: true
 supplementalGroups: [ 65534 ]
 fsGroup: 65534
 tolerations:
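Review bot: In kube-dns.yaml.base, the pod-level `securityContext` left by the `@@ -82,13 +82,12 @@` hunk keeps only `supplementalGroups` and `fsGroup`, so nothing visible here still makes the kubelet refuse a container whose image defaults to UID 0. The removed container-level `runAsNonRoot: false` suggests only one container needed root, so the others should each carry `runAsNonRoot: true` (or a non-zero `runAsUser`) in their own `securityContext`; those definitions lie outside the hunk and should be checked. A comment above `securityContext:` such as `# non-root is enforced per container; the dnsmasq container is the exception` would record the intent, assuming that is the design. The pod spec continues outside the hunk, and the same hunk recurs in kube-dns.yaml.in and kube-dns.yaml.sed.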
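Review bot: In kube-dns.yaml.base, the container `securityContext` in the `@@ -198,8 +197,6 @@` hunk now relies on defaults for the root filesystem and the user, which still means a writable root filesystem and no non-root check, exactly as the deleted `false` values said. Because the weaker settings are no longer written down, a comment above `allowPrivilegeEscalation: false` such as `# runs as root with a writable rootfs: <reason>` would keep the exception auditable. If the process writes only to mounted volumes, `readOnlyRootFilesystem: true` would be the tighter choice, but that cannot be judged from the lines shown. The container definition starts outside the hunk, and the same hunk recurs in kube-dns.yaml.in and kube-dns.yaml.sed.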
@@ -198,8 +197,6 @@ spec:
 mountPath: /etc/k8s/dns/dnsmasq-nanny
 securityContext:
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
 capabilities:
 drop:
 - all
diff --git a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
index 6c3c96140c4..86e740ec79c 100644
--- a/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
+++ b/cluster/addons/dns/kube-dns/kube-dns.yaml.sed
@@ -82,13 +82,12 @@ spec:
 labels:
 k8s-app: kube-dns
 annotations:
- seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
 prometheus.io/port: "10054"
 prometheus.io/scrape: "true"
 spec:
 priorityClassName: system-cluster-critical
 securityContext:
- runAsNonRoot: true
 supplementalGroups: [ 65534 ]
 fsGroup: 65534
 tolerations:
@@ -198,8 +197,6 @@ spec:
 mountPath: /etc/k8s/dns/dnsmasq-nanny
 securityContext:
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: false
- runAsNonRoot: false
 capabilities:
 drop:
 - all